
feat: add ESO threat model (#2308)

* feat: add ESO threat model

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* Update docs/guides/threat-model.md

Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>

* feat: add controls to disable CRDs C05

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

---------

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
Co-authored-by: Gustavo Fernandes de Carvalho <gusfcarvalho@gmail.com>
Moritz Johner 3 years ago
Parent
Current commit
9c436af220

+ 7 - 0
docs/api/components.md

@@ -16,3 +16,10 @@ These features are optional but highly recommended. You can disable them with he
 
 <br/>
 ![Component Overview](../pictures/diagrams-component-overview.png)
+
+
+### TLS Bootstrap
+
+Cert-controller is responsible for (1) generating TLS credentials which will be used by the webhook component and (2) injecting the certificate as `caBundle` into `Kind=CustomResourceDefinition` for conversion webhooks and `Kind=ValidatingWebhookConfiguration` for validating admission webhook. The TLS credentials are stored in a `Kind=Secret` which is consumed by the webhook.
+
+![](../pictures/eso-threat-model-TLS%20Bootstrap.drawio.png){: style="width:70%;"}
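
Review bot: the image added on the last line of the TLS Bootstrap section has empty alt text (`![](...)`), while the Component Overview image just above it has one; give it a description such as `![TLS Bootstrap](...)`. In the paragraph, "for validating admission webhook" is missing an article ("for the validating admission webhook"). Since the text says cert-controller injects `caBundle` into `Kind=CustomResourceDefinition` and `Kind=ValidatingWebhookConfiguration` and stores the credentials in a `Kind=Secret`, it would help readers to state which permissions on those resources this implies, or to link to the threat model guide added in this commit. The two consecutive blank `+` lines before the heading can be reduced to one.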

File diff suppressed because it is too large
+ 136 - 44
docs/guides/security-best-practices.md


File diff suppressed because it is too large
+ 127 - 0
docs/guides/threat-model.md


Binary
docs/pictures/eso-threat-model-TLS Bootstrap.drawio.png


Binary
docs/pictures/eso-threat-model-overview.drawio.png


File diff suppressed because it is too large
+ 209 - 0
docs/pictures/eso-threat-model.drawio


+ 2 - 0
hack/api-docs/mkdocs.yml

@@ -13,6 +13,7 @@ theme:
     - navigation.expand
   custom_dir: ../../overrides
 markdown_extensions:
+  - attr_list
   - pymdownx.highlight
   - pymdownx.superfences
   - admonition
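
Review bot: the new `- attr_list` entry at the top of `markdown_extensions` has no stated reason in the config, and its only visible use in this commit is the `{: style="width:70%;"}` attribute on the TLS Bootstrap image in `docs/api/components.md`. A short YAML comment saying so would keep it from being dropped later as unused, which would leave that attribute rendered as literal text.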
@@ -79,6 +80,7 @@ nav:
     - Operations:
       - Multi Tenancy: guides/multi-tenancy.md
       - Security Best Practices: guides/security-best-practices.md
+      - Threat Model: guides/threat-model.md
       - Upgrading to v1beta1: guides/v1beta1.md
       - Using Latest Image: guides/using-latest-image.md
       - Disable Cluster Features: guides/disable-cluster-features.md